I don't have any XP boxes. That being said, until I see a documented story saying "I was using Windows XP (or 7 or anything) and ... " / "I didn't patch Spectre ..." / "I didn't yada yada yada ... and then this bad thing happened", it's not real. Until then it's just FUD.

So are you really suggesting anyone whose system becomes compromised will automatically know their system has been compromised? Does that really make sense to you? Is all malware so poorly written that once installed, it will immediately result in "bad things happening" to that machine such that every infected user will immediately know they are infected?
Sorry, but that is more nonsense. There is a lot of malware that is designed to be very stealthy and NOT disrupt operations of the compromised system. Some are designed, for example, to send out small, undetectable bursts of 10 or 12 small spam messages, or "socially engineered" malware-laden messages to other users. Or the malware may make a couple dozen quick log-in attempts on a targeted site as part of a DDoS attack, go dormant for a while then send a dozen more. Tasks that last just a few seconds. Malware that does NOT corrupt the infected system. There is a lot of malware designed to sit dormant and undetected until triggered by some event months or even years down the road.
And it is not whether the user applies available patches or not. It's the fact MS is no longer developing patches for XP to apply! That's not FUD, that's fact!
It is the fact "white-hat" security firms are actively working for and with Microsoft, or independently to seek out and report vulnerabilities in W10 before the bad guys can find them. That's not FUD. That's fact.
Popular anti-malware programs may still send out signature/definition updates, but many no longer provide program updates or even bug fixes and other support for XP.
AVG is a perfect case in point. And of course, Avast (as the parent company to AVG), has the same policy.
McAfee provides "only 'best effort' support on XP" and the "current McAfee Windows security products do not support Windows XP."
Kaspersky system requirements - no mention of XP or Vista.
Again, not FUD, but fact.
I would like to stretch your reply a bit further if I may, playing devil's advocate. Isn't the above also true for W10? The only saving grace you have is that it's supported and might be fixed. Might be - because it's not like everything happens tomorrow.
Only? And might be? The fact it is still supported (by both MS and the anti-malware industry) is the critical difference. You can't marginalize this by suggesting that fact is insignificant or nearly insignificant.
The fact you and Lex keep ignoring is that any newly discovered vulnerability in W10 will be addressed. Microsoft will either correct the bug, patch the flaw and/or the anti-malware industry will protect the vulnerability from exploitation. That is a HUGE distinction between the supported Windows 10 and the unsupported XP.
I don't doubt that any of the regulars on this site are capable of securing XP for their own protection. As I said above, that is not my worry. My worry is the message we, as advisers, send to the other 99% of the users out there when we suggest the security threat with XP is just FUD. It's not FUD, it's fact. And the fact remains, infected XP systems are not likely to be patched, thus they will become and remain threats to the rest of us, and targeted organizations.
Do you really think it wise of you (speaking to those condoning and even promoting the continued use of XP) to dismiss these facts when giving advice to your friends and family workers who don't have your levels of expertise or discipline and whose computers are not under your direct control? Do you really think it wise to give such advice in forums like this where you don't truly know the level of expertise of all the posters and potential readers?
Not only do I think it unwise, I say it is irresponsible. XP holdouts need to be told to upgrade, or switch to Linux. Simple as that. It is not like they didn't have plenty of advance notice.
Retiring superseded and obsolete products - especially consumer electronics - before they die is just a fact of life. We did it with 8-Tracks, cassettes, CRT TVs and monitors, analog TVs, wireless phones and cell phones and more. The difference here is keeping old 8-Track players and CRT monitors in use did not present a security threat to us or others.